Add DNS service records for Windows

https://fedorahosted.org/freeipa/ticket/1939

3 files changed, 64 insertions, 3 deletions

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 9a6e61c2c..87fecbfb4 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -45,6 +45,9 @@ def parse_options():
                       type="ip", ip_local=True, help="Master Server IP Address")
     parser.add_option("--netbios-name", dest="netbios_name",
                       help="NetBIOS name of the IPA domain")
+    parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
+                      default=False, help="Do not create DNS service records " \
+                                          "for Windows in managed DNS server")
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
 
@@ -197,7 +200,7 @@ def main():
         api.Backend.ldap2.connect(ccache)
 
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
-              netbios_name)
+              netbios_name, options.no_msdcs)
     smb.create_instance()
 
     print "=============================================================================="
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index a3981adf4..b61da1908 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -39,6 +39,9 @@ The IP address of the IPA server. If not provided then this is determined based
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name.
 .TP
+\fB\-\-no\-msdcs\fR
+Do not create DNS service records for Windows in managed DNS server
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .SH "EXIT STATUS"
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index f655b2004..ee50a4306 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -25,7 +25,9 @@ import tempfile
 import installutils
 from ipaserver import ipaldap
 from ipaserver.install.dsinstance import realm_to_serverid
-from ipalib import errors
+from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
+                                           dns_zone_exists
+from ipalib import errors, api
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython.ipa_log_manager import *
@@ -245,6 +247,56 @@ class ADTRUSTInstance(service.Service):
         except ipautil.CalledProcessError, e:
             root_logger.critical("Failed to add key for %s" % cifs_principal)
 
+    def __add_dns_service_records(self):
+        """
+        Add DNS service records for Windows if DNS is enabled and the DNS zone
+        is managed. If there are already service records for LDAP and Kerberos
+        their values are used. Otherwise default values are used.
+        """
+
+        zone = self.domain_name
+        host = self.fqdn.split(".")[0]
+
+        ipa_srv_rec = (
+            ("_ldap._tcp", ["0 100 389 %s" % host]),
+            ("_kerberos._tcp", ["0 100 88 %s" % host]),
+            ("_kerberos._udp", ["0 100 88 %s" % host])
+        )
+        win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
+                          ".dc._msdcs")
+
+        err_msg = None
+        ret = api.Command.dns_is_enabled()
+        if not ret['result']:
+            err_msg = "DNS management was not enabled at install time."
+        else:
+            if not dns_zone_exists(zone):
+                err_msg = "DNS zone %s cannot be managed " \
+                          "as it is not defined in IPA" % zone
+
+        if err_msg:
+            print err_msg
+            print "Add the following service records to your DNS server " \
+                  "for DNS zone %s: " % zone
+            for (srv, rdata) in ipa_srv_rec:
+                for suff in win_srv_suffix:
+                    print " - %s%s"  % (srv, suff)
+            return
+
+        for (srv, rdata) in ipa_srv_rec:
+            ipa_rdata = get_rr(zone, srv, "SRV")
+            if not ipa_rdata:
+                ipa_rdata = rdata
+
+            for suff in win_srv_suffix:
+                win_srv = srv+suff
+                win_rdata = get_rr(zone, win_srv, "SRV")
+                if win_rdata:
+                    for rec in win_rdata:
+                        del_rr(zone, win_srv, "SRV", rec)
+                for rec in ipa_rdata:
+                    add_rr(zone, win_srv, "SRV", rec)
+
     def __start(self):
         try:
             self.start()
@@ -277,12 +329,13 @@ class ADTRUSTInstance(service.Service):
                              LDAPI_SOCKET = self.ldapi_socket)
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
-              smbd_user="samba"):
+              no_msdcs=False, smbd_user="samba"):
         self.fqdn =fqdn
         self.ip_address = ip_address
         self.realm_name = realm_name
         self.domain_name = domain_name
         self.netbios_name = netbios_name
+        self.no_msdcs = no_msdcs
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm_name)
         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % realm_to_serverid(self.realm_name)
@@ -311,6 +364,8 @@ class ADTRUSTInstance(service.Service):
         self.step("Adding cifs Kerberos principal", self.__setup_principal)
         self.step("Adding admin(group) SIDs", self.__add_admin_sids)
         self.step("configuring smbd to start on boot", self.__enable)
+        if not self.no_msdcs:
+            self.step("adding special DNS service records", self.__add_dns_service_records)
         self.step("starting smbd", self.__start)
 
         self.start_creation("Configuring smbd:")